| Title | AlejandroArciniegas mcp-data-vis 1.0.0 SQL Injection |
|---|---|
| Description | AlejandroArciniegas mcp-data-vis contains an SQL injection vulnerability in src/servers/database/server.js. The create_table tool constructs a CREATE TABLE statement by embedding an attacker-controlled schema value directly into SQL text and executes it with db.exec() without parameterization or strict validation. An attacker who can invoke the vulnerable MCP handler can execute unintended SQL statements against the application's SQLite database, which may result in unauthorized data access, modification, or deletion. |
| Source | ⚠️ https://github.com/wing3e/public_exp/issues/19 |
| User | BigW (UID 96422) |
| Submission | 16.03.2026 10:23 (21 days ago) |
| Moderation | 01.04.2026 15:03 (16 days later) |
| Status | Accepted |
| VulDB Entry | 354654 [AlejandroArciniegas mcp-data-vis MCP server.js request SQL Injection] |
| Points | 20 |
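
A mitigation sketch for the create_table pattern described above, added here as an example and not taken from the mcp-data-vis code base. Table names, column names and column types in a CREATE TABLE statement cannot be bound as SQL parameters, so the statement has to be assembled from a structured column list in which every part is validated. The names `buildCreateTable`, `quoteIdent` and `ALLOWED_TYPES`, and the shape of the column objects, are assumptions.

```javascript
// Added example (hypothetical names): build CREATE TABLE from structured,
// validated input instead of accepting a free-form schema string.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
const ALLOWED_TYPES = new Set(["INTEGER", "REAL", "TEXT", "BLOB", "NUMERIC"]);

// Accept only plain identifiers, then double-quote them for SQLite.
function quoteIdent(name) {
  if (typeof name !== "string" || !IDENT.test(name)) {
    throw new Error(`invalid identifier: ${JSON.stringify(name)}`);
  }
  if (name.toLowerCase().startsWith("sqlite_")) {
    throw new Error("identifier uses the reserved sqlite_ prefix");
  }
  return `"${name}"`;
}

// columns: [{ name, type, primaryKey?, notNull? }] (constructed input shape)
function buildCreateTable(table, columns) {
  if (!Array.isArray(columns) || columns.length === 0 || columns.length > 64) {
    throw new Error("columns must be an array with 1 to 64 entries");
  }
  const seen = new Set();
  const defs = columns.map((col) => {
    const name = quoteIdent(col.name);
    const type = String(col.type).toUpperCase();
    if (!ALLOWED_TYPES.has(type)) throw new Error(`type not allowed: ${type}`);
    if (seen.has(name.toLowerCase())) throw new Error(`duplicate column: ${col.name}`);
    seen.add(name.toLowerCase());
    // Constraints come from booleans, never from caller-supplied SQL text.
    const flags = [];
    if (col.primaryKey === true) flags.push("PRIMARY KEY");
    if (col.notNull === true) flags.push("NOT NULL");
    return [name, type, ...flags].join(" ");
  });
  return `CREATE TABLE IF NOT EXISTS ${quoteIdent(table)} (${defs.join(", ")})`;
}

// Constructed sample request for a two-column table.
const sampleSql = buildCreateTable("sales", [
  { name: "id", type: "integer", primaryKey: true },
  { name: "region", type: "text", notNull: true },
]);
console.log(sampleSql);
```

Because the builder emits exactly one statement made only of validated tokens, the result can be passed to a single-statement API; any value that carries punctuation, whitespace or an unknown type is rejected before SQL text is formed.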